Privilege Escalation
Last updated
After you have a meterpreter session, use the following command to check the user.
We can use the BeRoot tool to check for further attack vectors.
Upload it with meterpreter. Files go to the downloads folder by default.
Now run shell and then execute the file. It will list the attack vectors.
Note: Windows privileges can be used to escalate privileges. These privileges include SeDebug, SeRestore & SeBackup & SeTakeOwnership, SeTcb & SeCreateToken, SeLoadDriver, and SeImpersonate & SeAssignPrimaryToken. BeRoot lists all available privileges and highlights whether you hold one of these tokens.
Gather information with the following commands.
Useful commands
To modify the timestamp MACE (modified, accessed, created, entry modified) attributes
To view timestamp entries
-a accessed
-c created
-e entry modified
search -f flag*.txt (in meterpreter)
First get the shell, then use the following command.
CVE-2021-4034
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).
Download and run the script.
Open the /etc/exports file. This file lists the directories you want to share on the network. Add the following entry.
The home directory is shared and the root user can read and write to it.
Restart the server.
If we run the nmap scan now, port 2049 will appear as open.
Now install the NFS common utilities (nfs-common).
Check the mounted folder.
Now mount the share
Now move to the directory
To check free space
Now ssh into the machine. Move to the shared directory and run bash and we will get the root shell.
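The exposure behind this NFS trick is an export that lets a remote root keep uid 0 on the server. As an added defender's check (not code from the original page), the following Python parses exports(5) syntax and flags entries that weaken that boundary; it assumes the share entry above uses the no_root_squash option, which is what "root can read/write" corresponds to, and the sample exports file is constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample /etc/exports for the audit (not from the original page).
SAMPLE_EXPORTS = """\
# /etc/exports: the access control list for filesystems which may be exported
/home           *(rw,sync,no_root_squash)
/srv/public     10.0.0.0/24(ro,sync,root_squash)
/srv/data 10.0.0.5(rw,sync) 10.0.0.6(rw,sync,no_root_squash)
/export/iso     *(ro)
"""

@dataclass
class Finding:
    path: str
    client: str
    options: List[str]
    issues: List[str] = field(default_factory=list)

# One client spec is "host(opt1,opt2)" or a bare "host".
_CLIENT_RE = re.compile(r"(\S+?)(?:\(([^)]*)\))?(?=\s|$)")

def parse_exports(text: str) -> List[Finding]:
    """Parse exports(5) lines into one record per (path, client) pair."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        path, rest = (line.split(None, 1) + [""])[:2]
        for m in _CLIENT_RE.finditer(rest.strip()):
            host, opts = m.group(1), m.group(2) or ""
            options = [o.strip() for o in opts.split(",") if o.strip()]
            findings.append(Finding(path, host, options))
    return findings

def audit_exports(text: str) -> List[Finding]:
    """Return only the exports that weaken root squashing or host restriction."""
    risky = []
    for f in parse_exports(text):
        if "no_root_squash" in f.options:
            f.issues.append("no_root_squash: client root keeps uid 0 on the server")
        if f.client in ("*", "0.0.0.0/0") or f.client.startswith("*."):
            f.issues.append("wildcard client: any host may mount this export")
        if "rw" in f.options and f.issues:
            f.issues.append("rw: remote writes are possible with the weakness above")
        if f.issues:
            risky.append(f)
    return risky
```

Run it against a real /etc/exports and compare the flagged entries with what the NFS server actually needs; a home directory exported with no_root_squash to `*` is the case to remove first.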
Useful post-exploitation commands
Now copy nano to the current directory and then read the shadow file.
To see running processes
To view executable binaries
After you have a meterpreter session, background it and then use the following exploit.
Then once you get a new meterpreter session, use the following command
Using sticky keys for privilege escalation on Windows 11
After the initial meterpreter session, use the following module.
Now set the already privilege-escalated session in the options and run the exploit.
Now on Windows 11, sign in as a normal user; once you trigger Sticky Keys (press Shift five times), you will get cmd as admin.
Metasploit has a built-in module for mimikatz called kiwi.
First get a meterpreter session. Escalate privilege using bypassuac.
In meterpreter, load the module.
To dump hashes
We can also dump LSA secrets using the following command. LSA secrets are used to manage the local system security policy and may contain passwords, IE passwords, SQL passwords, etc.
Change the password with kiwi using the hash, without knowing the original password.